Your virus removal process...when to nuke?

Thought I'd have to N&P today.

New version of XP Antivirus Pro 2010

It turned of everything, closed all permissions to the built in administrator, real b_st_rd.

Something also deleted all the user accounts, and moved the data into the administrator's. Spooky. Even more spooky something changed the password for the administrator to the one for one of the deleted users.

I note that a couple af years ago the av.exe file size was listed as 27k.
This one is 182k.

Anyway it's dead now, due to some combination punching.
 
Something also deleted all the user accounts, and moved the data into the administrator's. Spooky. Even more spooky something changed the password for the administrator to the one for one of the deleted users.
Click to expand...

[x files theme tune starts to play in the background]
 
I'm leaning towards a nuke & pave with this one. Nothing important on it as it's used by the kids in a family room. My only issue is that I know in a few weeks......nah, who am I kidding.....in a few days it will probably be like this again :D
 

Attachments

  • untitled01.jpg
    untitled01.jpg
    45.9 KB · Views: 97
studiot said:
how much of that is tracking cookies?
Click to expand...

None. Before running scans I always perform a disc cleanup which includes deleting cookies and temporary Internet files. I always ask the end user if they save usernames and passwords in web forms before doing so and make sure they know what they are ;)
 
Malware removal is definitely my specialty, and probably 99.9% of the time I never resort to a nuke. I find even rootkit removal fairly routine when it's performed offline with competent signature verification utilities and some file access/creation checks. Most everything else can be identified from within the running OS if it's possible to do so (and removed offline if desired) using special listing tools that go low-level and gather all of the relevant info (even MD5 hashes of critical system files!).

I rather enjoy the disinfection process myself these days, and I have finally honed my skills in the area to the point where I can disinfect nearly any machine within around two hours of actual attentive work. About the only time I ever resort to a nuke/reinstall is in the case of irreversible file infectors such as some variants of Virut.
 
Alan22 said:
None. Before running scans I always perform a disc cleanup which includes deleting cookies and temporary Internet files. I always ask the end user if they save usernames and passwords in web forms before doing so and make sure they know what they are ;)
Click to expand...

Before running any scans I clean up (so there are less files to scan) but I always leave the cookies and passwords. Remember that these are used for banking, shopping and other websites and the clients have gotten used to them. I think the benefit to browsing speed it offset by the client's phone call that they cannot get to their "BeanyBabiesFanatics.com" account.
 
atlanticjim said:
Before running any scans I clean up (so there are less files to scan) but I always leave the cookies and passwords. Remember that these are used for banking, shopping and other websites and the clients have gotten used to them. I think the benefit to browsing speed it offset by the client's phone call that they cannot get to their "BeanyBabiesFanatics.com" account.
Click to expand...

I'm always on the fence with this, but lean towards nuking the cookies. As mentioned, I always ask if they save usernames & passwords in web forms and make sure they know what they are before I do anything. Password retrieval is easy anyway. Really, I've never had a situation where someone couldn't get back into their accounts.......except for AOL, and that's a topic that I'm sure none of us want to discuss :p

I never liked storing usernames & passwords in the browser. I always say, what if your home/business is broken into and the computer is stolen (this has happened to some clients). Someone with even little knowledge can view the browsing history and have access to accounts. This is especially true for laptops that have greater theft incident than desktops.

Anyway, in this case it was a computer used by the kids in a family room. Nothing important on it, but saved some homework docs, music & pictures - not enough to fill a CD.
 
Backup first....

Not sure about what everyone does but before i start working on a computer, i always make an image copy first to an external hard drive. Reason being is that sometimes the cure is can worse then the disease. Making an image of the computer before working on it has saved my BUTT many times. Yes its a pain in the ass because sometimes it takes like 20min to an hour, but the way i see it the clients data is backup and saved.

After that, then i dig in and start the long process of going after the virus and other malware crap. Your clients will thank you for taking the time to ensure there data is backed up just incase things go badly.

Now thats just my way of doing things. Just looking out for my clients first...

--Jose--
 
kagman said:
Not sure about what everyone does but before i start working on a computer, i always make an image copy first to an external hard drive
Click to expand...

what's your preferred imaging s/w? do you just do the file/folder data or a full on sector-by-sector?

also, do you do the image to a file, or to another hdd?
 
I generally use Acronis True Image bootable media for this step... I have it set as one of the boot options on my USB drive, which is awesome. It takes a while to backup but generally seems to be pretty quick in comparison to other tools.

Oh, and I simply create a file-based image to an external USB drive... not sector-by-sector unless the disk health is in question, and in that case, I use the much more expensive RecoverSoft Media Tools Pro that I blew $400 on. :P
 
I use a small simple image program called drivesnap shot. It's like 2mb long and works well. Usually I boot using a ubcdw then run the program. I do a full image backup of the data. Now I usually keep the image for a week just incase I get call back about the computer not working . Client is told that I've made a backup just incase something goes wrong.
 
I guess it's handy to have an image if the customer refuses to pay while you've still got the PC in your possession, you can simply re-image back to how it was before you started cleaning
 
Hey we tell people to backup there data all the time, and people still dont do it. So making an image is a prefect backup :)

Now i am always looking for other great programs that make system images. What do you all use?

--Jose--
 
This is what I do...

Ensure data is backed up/disclaimer signed
Observe the issues as described (including right clicking taskbar to see if task manager has been disabled)
Restart in Safe Mode
Msconfig, disable all, observe path of malware, nuke it.
Restart in normal mode
Re-observe (if no good, then try running process killers in order to run the next section)
Cleanup softwares (CCleaner, DiskMax, ATF Cleaner etc)
TrojanRemover (simplysup.com - awesome tool)
Malwarebytes, Spybot etc
Virus scan using their own scanner, with updated definitions.
Glary Reg scanner, another awesome tool.
Internet Explorer options, check no proxys, ensure Lan is ticked
Run various tools to re-enable any restrictions caused by malware
Sit back and pretty much know jobs a goodun :)
Turn off system restore (to empty, in case of issues in prev restore points)
Without restarting, Turn on system restore, create a new restore point.
Any O/S tweaks I feel wud benefit customer.
Defrag of course.

If I needed too.. id run ComboFix..but only if really necersary.. as I got caught out a month or so ago with a bug in it.. which moved a customers pics and stuff elsewhere on the machine.. giving me high blood pressure.

If the above didnt work, id slave the drive.. and run other scanners on it.
Id also probably try some sort of Live CD on it..
 
Next point. MBAM is designed to work in a normally booted environment.
Slave the drive and MBAM will only remove a portion of the offending
rogue because it has not generated the random exe files that cause the rogue's behavior.
Click to expand...
What about using other anti-virus software (Security Essentials, Avast, Norton) while slaving the drive to your bench test computer for scanning? Will stuff be missed?

One thing I've noticed about anti-virus boot CD's is that they actually write data TO the subject drive. That's one reason why I connect drives as slaves to my bench test computer. I tested a Kaspersky boot CD on a healthy drive and the thing caused my test drive to become unbootable. I may have selected to delete files instead of quarantine. Most AV product already have a recommendation as to whether to delete or quarantine. Not sure why Kaspersky doesn't.

Interestingly I recently ran Security Essentials, Avast, and Avira scans on an infected drive (connected as a slave to my bench test computer) and ALL THREE MISSED the Security Tool trojan. This was only about a month ago after ST had been discovered like 4 months earlier. I had to manually remove it. I wonder why it missed it. Could it be because I had the infected drive connected as a slave drive?
 
Last edited:
You must log in or register to reply here.

Similar threads

Blue House Computer Help
Rootkit scanning and removal
2
Replies
20
Views
598
Sky-Knight
Sky-Knight
DRPCNZ
Scanning to email from Printer
Replies
17
Views
384
DRPCNZ
DRPCNZ
thecomputerguy
Where the heck is the Ricoh scan software?
2
Replies
26
Views
739
HCHTech
HCHTech
johnrobert
Mac Mail
Replies
6
Views
203
timeshifter
timeshifter
Rigo
Assessing and cleaning up scam compromised computer-phones
Replies
19
Views
1K
britechguy
britechguy
Back
Top